Date: 28 February 2012
References: ESB-2012.0487
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2012.0227
postgresql-8.4 security update
28 February 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: postgresql-8.4
Publisher: Debian
Operating System: Debian GNU/Linux 6
UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Increased Privileges -- Existing Account
Unauthorised Access -- Remote/Unauthenticated
Execute Arbitrary Code/Commands -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2012-0868 CVE-2012-0867 CVE-2012-0866
Original Bulletin:
http://www.debian.org/security/2012/dsa-2418
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running postgresql-8.4 check for an updated version of the software
for their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2418-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
February 27, 2012 http://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : postgresql-8.4
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-0866 CVE-2012-0867 CVE-2012-0868
Several local vulnerabilities have been discovered in PostgreSQL, an
object-relational SQL database. The Common Vulnerabilities and Exposures
project identifies the following problems:
CVE-2012-0866
It was discovered that the permissions of a function called by a
trigger are not checked. This could result in privilege escalation.
CVE-2012-0867
It was discovered that only the first 32 characters of a host name
are checked when validating host names through SSL certificates.
This could result in spoofing the connection in limited
circumstances.
CVE-2012-0868
It was discovered that pg_dump did not sanitise object names.
This could result in arbitrary SQL command execution if a
malformed dump file is opened.
For the stable distribution (squeeze), this problem has been fixed in
version 8.4.11-0squeeze1.
For the unstable distribution (sid), this problem has been fixed in
version 8.4.11-1.
We recommend that you upgrade your postgresql-8.4 packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk9LwJ4ACgkQXm3vHE4uyloAzgCfY91eNaRw1c0BbV5h+nDyPCid
RMkAnj9R/A/5oW22U9vRx97RHkd8yDc2
=T+uw
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
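The CVE-2012-0867 entry above describes a host-name check that examined only the first 32 characters of the name presented in the server's SSL certificate. The Python below is an added illustration of that failure mode and of the corrected comparison; it is a simplified model written for this bulletin, not PostgreSQL's or Debian's code. PREFIX_LIMIT, the two helper functions and the sample host names are assumptions constructed for the example.

```python
"""Illustration of a truncated certificate host-name check (CVE-2012-0867 class of bug).

Added example, not PostgreSQL code. The weak check models the advisory's description
("only the first 32 characters of a host name are checked"); the strict check shows
what a complete comparison looks like.
"""

# Assumed buffer length, mirroring the "32 characters" stated in the advisory.
PREFIX_LIMIT = 32


def _normalise(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def weak_hostname_matches(cert_name: str, hostname: str) -> bool:
    """Model of the flawed check: both names are cut to a fixed-size buffer before
    comparison, so any difference beyond PREFIX_LIMIT is never examined."""
    return _normalise(cert_name)[:PREFIX_LIMIT] == _normalise(hostname)[:PREFIX_LIMIT]


def strict_hostname_matches(cert_name: str, hostname: str) -> bool:
    """Corrected check: compare the complete normalised names.

    A certificate name of the form ``*.example.com`` matches exactly one
    left-most label and nothing else (no ``example.com``, no ``a.b.example.com``).
    """
    cert = _normalise(cert_name)
    host = _normalise(hostname)
    if cert.startswith("*."):
        cert_labels = cert.split(".")[1:]
        host_labels = host.split(".")
        return len(host_labels) == len(cert_labels) + 1 and host_labels[1:] == cert_labels
    # Full-length equality: length is part of the comparison, not just a prefix.
    return cert == host


# Constructed sample data: the two names share their first 32 characters
# ("database-primary-node-01.example") and differ only in the last label.
CERT_NAME = "database-primary-node-01.example.com"
LOOKALIKE_HOST = "database-primary-node-01.example.org"


def compare_checks(cert_name: str, hostname: str) -> dict:
    """Run both checks on one pair so the difference is visible side by side."""
    return {
        "weak": weak_hostname_matches(cert_name, hostname),
        "strict": strict_hostname_matches(cert_name, hostname),
    }


if __name__ == "__main__":
    for host in (CERT_NAME, LOOKALIKE_HOST):
        print(f"{host!r:45} -> {compare_checks(CERT_NAME, host)}")
```

Running the block shows the truncated check accepting the look-alike name while the full comparison rejects it; the same shape of defect applies to any fixed-size buffer that is filled before a string comparison, which is why the corrected check compares complete, normalised names rather than a prefix.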
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----